PatchSiren

catchplugins CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM catchplugins CVE published 2026-07-16

CVE-2026-15336

The Catch Themes Demo Import plugin for WordPress has a missing authorization vulnerability in versions up to and including 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate [truncated]